Mind the cyber protection gap. Uncovered risks can be costly.

A guest contribution by our expert Andreas Schlayer in the trade magazine Insurance Day. First published there on October 8, 2025.
While growing automation and digitalisation hold tremendous opportunities for businesses, they also harbour new risks. Cyberattacks and the resultant downtimes for IT systems can not only limit the functionality of digital systems, but also cause significant physical damage. Many companies underestimate this risk and are therefore uninsured or underinsured against it, since traditional policies chiefly exclude physical damage from cyberattacks. The result: a substantial coverage gap that needs to be identified and closed – with efficient and tailored insurance solutions.
Physical property damage from cyberattacks – a growing threat
The automation of business processes can offer organisations material gains in productivity and efficiency. In the course of business, digital and property values are inseparably bound to one another. Yet the Internet of Things (IoT) has opened not only new avenues for optimising processes, but also new back doors for cyberattacks. Though the seamless exchange of data between devices and systems makes real-time monitoring, proactive maintenance, and high agility possible, these very same criteria are also highly relevant for attack vectors, especially in connection with third-party providers and remote access to systems.
Consequently, critical infrastructures are now more vulnerable to cyberattacks. Further, highly integrated and digitalised production systems make tempting targets for cyber criminals, whose attacks can produce losses in the billions, and even fatalities. Nevertheless, many companies and organisations still fail to appreciate the attendant potential for damage.
The dynamic changes underway, e.g. in production processes, underscore the need for appropriate risk management. By the end of 2023, an estimated 16.6 billion IoT devices were networked around the globe and more than 60% of manufacturers had integrated IoT technologies in their production or assembly processes. The subsequent integration of AI in IoT systems was one of the most important trends in 2024. The rollout of Siemens Industrial Copilot has been cited as a prime example from the market-leading segment. These developments show how closely digital and physical systems are now intertwined, and how important it is to understand and manage the risks this entails.
Potential scenarios for physical damage from cyberattacks
Historical attacks like Stuxnet (2010) and Triton (2017), as well as those on steel mills in Iran (2022) and Germany (2014), have demonstrated the destructive potential of cyberattacks on industrial plants. This chiefly involves property damage to production facilities, as well as the resultant financial losses, e.g. from standstills. Potential scenarios for physical damage from cyberattacks encompass a range of attack types in which digital manipulations can do real-world damage to facilities, infrastructures or devices:
- Manipulation of industrial facilities:
Hackers could attack the control systems for industrial plants and manipulate e.g. temperature sensors or release valves, resulting in overheating, rising pressure, or explosions.
A well-known example is the attack on an Iranian steel mill in 2022, when the hacker group “Predatory Sparrow” managed to gain access to the plant, most likely through a back door in a third-party software package. The group entered malicious code to gain access to the IoT system’s human-machine interface, which was connected to the Internet, their goal being to deactivate the gas-venting step in the refinement process. The gas trapped in the molten steel caused the vat to spill over, which started a fire. The group also hacked the plant’s security cameras so they could see the results and subsequently post the video online.
- Sabotage of ships through cyberattacks:
Hackers could manipulate the propulsion systems of ships, e.g. container ships, to disable them. This could result in collisions with other ships or, in the worst-case scenario with poor weather, the ship in question capsizing, which would mean extreme risk to life and limb for the crew, as well as massive property damage to the ship and its cargo.
- Cyberattacks on building control systems:
Cyber criminals could take control of critical systems in modern high-rises, like the heating, water pumps, or ventilation systems. In Smart Buildings, this can result in large-scale blackouts and massive property damage. For example, in regions characterised by extremely low temperatures, a targeted attack on heating systems in winter could cause water pipes to freeze and burst. In addition, hackers could manipulate fire protection systems like sprinklers and smoke detectors, which could have disastrous consequences in the event of a fire.
- Manipulation of hydroelectric power stations or dams:
Once unauthorised system access has been gained, hackers could e.g. open sluices, causing flooding and, in turn, serious damage to buildings and infrastructure.
- Cyberattacks on major construction projects:
Cyberattacks can produce critical disruptions in major construction projects, sabotaging e.g. the design software, major implements, or vital construction material suppliers, which can lead to property damage and prolonged standstills. This not only means direct financial losses, but also substantial financing risks, as investors are confronted with delays and additional costs. While the digitalisation of the construction industry has boosted efficiency, it has also made projects more vulnerable to cyberattacks.
As these scenarios show, cyberattacks can increasingly produce concrete property damage ranging from production shutdowns and environmental disasters to traffic or shipping accidents. In the age of AI this threat is growing, particularly in sectors where physical damage can have serious financial and reputation-related consequences.
The list of potentially affected sectors is long: examples include the chemical and coal & steel sectors, healthcare, energy providers, food & agriculture, traffic systems, water & wastewater systems, and hotels & hospitality.
Closing the insurance gap
Traditional cyber insurance policies don’t normally cover property damage or directly related financial losses from cyberattacks. In property insurance, exclusion clauses (e.g. LMA 5400 and LMA 5401) have been introduced to explicitly exclude cyber risks from property policies and control “silent cyber risk”. With these exclusions in place, physical damage directly or indirectly caused by cyberattacks is not covered. Accordingly, there is an urgent need to close the coverage gap between cyber and property insurance. Here it should be kept in mind that cyberattacks can not only produce property damage, but also personal injury.
Tailored coverage solutions for property damage from cyberattacks
The good news for those sectors reliant on insurance: special-purpose insurance solutions have been developed to close this gap. Companies can purchase an affirmative property damage extension, either as an addition to their current cyber policy or separately. The extension explicitly covers physical property damage and resulting financial losses caused by targeted hacker attacks or the technical failure of computer systems.
Alternatively, they can select a specially designed cyber gap policy, which “un-excludes” those risks excluded by the LMA clauses. This policy provides compensation for policyholders when targeted hacker attacks or the technical failure of computer systems result in physical property damage. It does so on the basis of the conditions in the property insurance policy purchased, which otherwise excludes this coverage via the LMA 540X clause.
In this regard, it is essential to carefully review the terms of coverage and loss potentials, so as to ensure that the specific risks (scope of coverage, requisite sum insured) are adequately reflected.
Specific recommendations for companies
Closing the coverage gap for cyber risks with potential property damage takes more than just purchasing insurance. The following steps are necessary:
- Conducting a comprehensive risk assessment of potential property damage in connection with targeted hacker attacks. Here, IT systems, the production control infrastructure (e.g., OT, IoT), and the building control technology (e.g., KNX, Modbus, BACnet) should be included.
- Reviewing existing policies: The terms of coverage in existing property and cyber policies must be thoroughly reviewed to determine which types of damage are covered and where gaps remain.
- Applying special-purpose insurance solutions: When it comes to closing coverage gaps, special-purpose insurance solutions like affirmative property damage or cyber gap policies can help. They specifically cover those types of physical property damage that can result from cyberattacks and are excluded in standard policies.
- Enhancing their own security measures: Insurance only covers the residual risk – accordingly, companies are well advised to specifically look for shortcomings in their own security measures that could allow a hacker to produce property damage. When, in the next step, measures are taken to close all potential back doors, this can minimise not only the probability of a cyberattack but also the scope of the resulting damage, to an extent that taking out an insurance policy becomes financially attractive.
Based on extensive expertise, Munich Re is best positioned to help companies optimally assess, mitigate and cover these risks. Our tailored solutions can prevent property damage from cyberattacks.